CVE-2025-63918 - Adobe PDFPatcher Directory Traversal Vulnerability
CVE ID : CVE-2025-63918
Published : Nov. 17, 2025, 5:15 p.m. | 23 minutes ago
Description : PDFPatcher executable does not validate user-supplied file paths, allowing directory traversal attacks allowing attackers to upload arbitrary files to arbitrary locations.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63918
Published : Nov. 17, 2025, 5:15 p.m. | 23 minutes ago
Description : PDFPatcher executable does not validate user-supplied file paths, allowing directory traversal attacks allowing attackers to upload arbitrary files to arbitrary locations.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-58407 - GPU DDK - TOCTOU bug affecting psFWMemContext->uiPageCatBaseRegSet
CVE ID : CVE-2025-58407
Published : Nov. 17, 2025, 5:18 p.m. | 21 minutes ago
Description : Kernel or driver software installed on a Guest VM may post improper commands to the GPU Firmware to exploit a TOCTOU race condition and trigger a read and/or write of data outside the allotted memory escaping the virtual machine.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-58407
Published : Nov. 17, 2025, 5:18 p.m. | 21 minutes ago
Description : Kernel or driver software installed on a Guest VM may post improper commands to the GPU Firmware to exploit a TOCTOU race condition and trigger a read and/or write of data outside the allotted memory escaping the virtual machine.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55058 - Apache Struts SQL Injection
CVE ID : CVE-2025-55058
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : CWE-20 Improper Input Validation
Severity: 4.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55058
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : CWE-20 Improper Input Validation
Severity: 4.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55059 - Apache Struts Cross-site Scripting Vulnerability
CVE ID : CVE-2025-55059
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55059
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64342 - ESF-IDF's ESP32 Bluetooth Controller Has an Invalid Access Address Vulnerability
CVE ID : CVE-2025-64342
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly report a connection event to the host, which can cause the application layer to assume that the device has successfully established a connection. This issue has been fixed in versions 5.5.2, 5.4.3, 5.3.5, 5.2.6, and 5.1.7. At time of publication versions 5.5.2, 5.3.5, and 5.1.7 have not been released but are fixed respectively in commits 3b95b50, e3d7042, and 75967b5.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64342
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly report a connection event to the host, which can cause the application layer to assume that the device has successfully established a connection. This issue has been fixed in versions 5.5.2, 5.4.3, 5.3.5, 5.2.6, and 5.1.7. At time of publication versions 5.5.2, 5.3.5, and 5.1.7 have not been released but are fixed respectively in commits 3b95b50, e3d7042, and 75967b5.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64756 - glob CLI: Command injection via -c/--cmd executes matches with shell:true
CVE ID : CVE-2025-64756
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in version 11.1.0.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64756
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : Glob matches files using patterns the shell uses. From versions 10.3.7 to 11.0.3, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in version 11.1.0.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64758 - @dependencytrack/frontend Vulnerable to Persistent Cross-Site-Scripting via Welcome Message
CVE ID : CVE-2025-64758
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64758
Published : Nov. 17, 2025, 6:15 p.m. | 3 hours, 24 minutes ago
Description : @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44654 - PHPGurukul Complaint Management System SQL Injection Vulnerability
CVE ID : CVE-2024-44654
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the email and mobileno parameters in reset-password.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44654
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the email and mobileno parameters in reset-password.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44655 - PHPGurukul Complaint Management System Cross Site Scripting (XSS)
CVE ID : CVE-2024-44655
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) via the search parameter in user-search.php.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44655
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) via the search parameter in user-search.php.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44658 - PHPGurukul Complaint Management System SQL Injection
CVE ID : CVE-2024-44658
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the subcategory and category parameters in subcategory.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44658
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the subcategory and category parameters in subcategory.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44660 - PHPGurukul Online Shopping Portal SQL Injection
CVE ID : CVE-2024-44660
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the fullname, emailid, and contactno parameters in login.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44660
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the fullname, emailid, and contactno parameters in login.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44662 - PHPGurukul Online Shopping Portal SQL Injection
CVE ID : CVE-2024-44662
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the username parameter in the admin page.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44662
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the username parameter in the admin page.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44663 - PHPGurukul Online Shopping Portal SQL Injection
CVE ID : CVE-2024-44663
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the product parameter in search-result.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44663
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the product parameter in search-result.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-46335 - PHPGurukul Complaint Management System Cross Site Scripting (XSS)
CVE ID : CVE-2024-46335
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerble to Cross Site Scripting (XSS) via the fromdate and todate parameters in between-date-userreport.php.
Severity: 4.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-46335
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : PHPGurukul Complaint Management System 2.0 is vulnerble to Cross Site Scripting (XSS) via the fromdate and todate parameters in between-date-userreport.php.
Severity: 4.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13216 - Apache HTTP Server Remote Code Execution
CVE ID : CVE-2025-13216
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13216
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63292 - Freebox Exposes Subscribers' IMSI Identifiers in Plaintext
CVE ID : CVE-2025-63292
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : Freebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1–r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) were discovered to expose subscribers' IMSI identifiers in plaintext during the initial phase of EAP-SIM authentication over the `FreeWifi_secure` network. During the EAP-Response/Identity exchange, the subscriber's full Network Access Identifier (NAI), which embeds the raw IMSI, is transmitted without encryption, tunneling, or pseudonymization. An attacker located within Wi-Fi range (~100 meters) can passively capture these frames without requiring user interaction or elevated privileges. The disclosed IMSI enables device tracking, subscriber correlation, and long-term monitoring of user presence near any broadcasting Freebox device. The vendor acknowledged the vulnerability, and the `FreeWifi_secure` service is planned for full deactivation by 1 October 2025.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63292
Published : Nov. 17, 2025, 7:16 p.m. | 2 hours, 24 minutes ago
Description : Freebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1–r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) were discovered to expose subscribers' IMSI identifiers in plaintext during the initial phase of EAP-SIM authentication over the `FreeWifi_secure` network. During the EAP-Response/Identity exchange, the subscriber's full Network Access Identifier (NAI), which embeds the raw IMSI, is transmitted without encryption, tunneling, or pseudonymization. An attacker located within Wi-Fi range (~100 meters) can passively capture these frames without requiring user interaction or elevated privileges. The disclosed IMSI enables device tracking, subscriber correlation, and long-term monitoring of user presence near any broadcasting Freebox device. The vendor acknowledged the vulnerability, and the `FreeWifi_secure` service is planned for full deactivation by 1 October 2025.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44659 - PHPGurukul Online Shopping Portal SQL Injection
CVE ID : CVE-2024-44659
Published : Nov. 17, 2025, 8:15 p.m. | 1 hour, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the email parameter in forgot-password.php.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44659
Published : Nov. 17, 2025, 8:15 p.m. | 1 hour, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the email parameter in forgot-password.php.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44661 - PHPGurukul Online Shopping Portal Cross Site Scripting (XSS)
CVE ID : CVE-2024-44661
Published : Nov. 17, 2025, 8:15 p.m. | 1 hour, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to Cross Site Scripting (XSS) via the quantity parameter in my-cart.php.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44661
Published : Nov. 17, 2025, 8:15 p.m. | 1 hour, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to Cross Site Scripting (XSS) via the quantity parameter in my-cart.php.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-44664 - PHPGurukul Online Shopping Portal SQL Injection Vulnerability
CVE ID : CVE-2024-44664
Published : Nov. 17, 2025, 8:15 p.m. | 1 hour, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the name, summary, review, quality, price, and value parameters in product-details.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-44664
Published : Nov. 17, 2025, 8:15 p.m. | 1 hour, 24 minutes ago
Description : PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the name, summary, review, quality, price, and value parameters in product-details.php.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13298 - itsourcecode Web-Based Internet Laboratory Management System controller.php sql injection
CVE ID : CVE-2025-13298
Published : Nov. 17, 2025, 8:15 p.m. | 1 hour, 24 minutes ago
Description : A vulnerability was detected in itsourcecode Web-Based Internet Laboratory Management System 1.0. This affects an unknown function of the file /enrollment/controller.php. Performing manipulation results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13298
Published : Nov. 17, 2025, 8:15 p.m. | 1 hour, 24 minutes ago
Description : A vulnerability was detected in itsourcecode Web-Based Internet Laboratory Management System 1.0. This affects an unknown function of the file /enrollment/controller.php. Performing manipulation results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13299 - itsourcecode Web-Based Internet Laboratory Management System controller.php sql injection
CVE ID : CVE-2025-13299
Published : Nov. 17, 2025, 8:15 p.m. | 1 hour, 24 minutes ago
Description : A flaw has been found in itsourcecode Web-Based Internet Laboratory Management System 1.0. This impacts an unknown function of the file /user/controller.php. Executing manipulation can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13299
Published : Nov. 17, 2025, 8:15 p.m. | 1 hour, 24 minutes ago
Description : A flaw has been found in itsourcecode Web-Based Internet Laboratory Management System 1.0. This impacts an unknown function of the file /user/controller.php. Executing manipulation can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...